WordPress Plugin: Plainview Activity Monitor – (Authenticated) Command Injection – CVE-2018-15877

Plainview Activity Monitor plugin for WordPress could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability using shell metacharacters in the ip parameter to inject and execute arbitrary OS commands on the system. The Plainview Activity Read more…

Linux Restricted Shell Bypass

Restricted shells are conceptually shells with restricted permissions, with features and commands working under a very peculiar environment, built to keep users in a secure and controlled environment, allowing them just the minimum necessary to perform their daily operations. Once hackers get a low-privileged shell, even a restricted one, Read more…

Vulnerability Shellshock – CVE-2014-6271

Shellshock is effectively a Remote Command Execution vulnerability in BASH. The vulnerability lies in the fact that BASH incorrectly executes trailing commands when it imports a function definition stored in an environment variable. A lot of programs like SSH, telnet, CGI scripts allow bash to run in the background allowing Read more…

Fcrackzip – BruteForce ZIP protected files

fcrackzip is a third-party tool for cracking zip file passwords. It tries to brute force using a list of passwords. Installation sudo apt install fcrackzip Before using fcrackzip we need a password protected zip file. zip --password <password> <filename.zip> <data> zip --password vk9security new_file.zip data.txt How to use 1. Show help Read more…

BufferOverflow lab 3: Panel app (Linux)

This lab is intended to demonstrate how to exploit BoF in Linux. The vulnerable application is Panel which can be downloaded from a VulnHub machine (https://www.vulnhub.com/entry/pinkys-palace-v2,229/). The executable can be found at (https://github.com/vry4n/BoF-Panel-Linux) This application is a custom app that runs on port 31337 & it is vulnerable to Buffer Read more…

Ssh2john how to

Ssh2john is part of the John the Ripper suite. It is a script that transforms RSA/DSA/EC/OpenSSH private keys (SSH private keys) into John format for later cracking using JtR How to 1. Having an RSA private key already cat id_rsa 2. locate the ssh2john script using find find / Read more…

How to use WPScan

WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities within the WordPress core, as well as popular WordPress plugins and themes. This tool is available at https://github.com/wpscanteam/wpscan and comes installed in most security distributions. How to use 1. Display Read more…

Exploiting pChart 2.1.3 (Directory traversal & XSS)

PHP library pChart 2.1.3 (and possibly previous versions) by default contains an examples folder, where the application is vulnerable to Directory Traversal and Cross-Site Scripting (XSS). This has been taken from (https://www.exploit-db.com/exploits/31173) Exploiting Directory Traversal 1. Visiting the application at (http://192.168.0.18/pChart2.1.3/examples/index.php), we get to the examples folder. 2. This tool Read more…

Incident response, all you need to know.

Incident response is a structured process organizations use to identify and deal with cybersecurity incidents. Response includes several stages, including preparation for incidents, detection and analysis of a security incident, containment, eradication, and full recovery, and post-incident analysis and learning. This post is a shorter summary of NIST official documentation. Read more…

Installing Splunk (Linux)

Splunk is a software platform to search, analyze and visualize the machine-generated data gathered from the websites, applications, sensors, devices etc. which make up your IT infrastructure and business. Mainly Splunk does these things: Ingests Data Parses, indexes and stores data Runs searches on index data For more info visit: Read more…

Domain info using Robtex

Robtex is a service which gathers public information about IP addresses, domain names, host names, Autonomous systems, and more. How to use 1. Access https://www.robtex.com/dns-lookup and search for the domain 2. In the results we can find Analysis DNS servers Mail servers IP address Quick Info FQDN DNS servers Records Read more…

How to use whois

Information gathering is the first step of Ethical Hacking, where the penetration tester or even hackers gather information on their target victims. To increase your chances of a “successful” hack, you will need to do a good job and spend time on this stage. There are a couple of information Read more…

BufferOverflow lab 2: MiniShare

This time we’ll exploit Minishare 1.4.1. This is a web application that runs on port 80 as HTTP, you can share files and the users can download them from the site. I uploaded the application to GitHub (https://github.com/vry4n/BoF-MiniShare-1.4.1) Lab details Windows XP x86 (192.168.0.5) Immunity debugger MiniShare 1.4.1 Kali (192.168.0.20) Read more…

BufferOverflow lab 1: FreeFloat FTP Server

This lab is intended to demonstrate how to exploit BoF in Windows. The vulnerable application is FreeFloat which can be downloaded from (https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip). The Freefloat FTP Server has many vulnerable parameters, which can be useful to practice on, and we will choose one of them here to do a full Read more…

How to use Veil to create payloads

Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions. Installation 1. Run the commands below and wait for installation to complete sudo apt-get -y install git git clone https://github.com/Veil-Framework/Veil.git cd Veil/ ./config/setup.sh --force --silent 2. Upon completion, you can run the application with the command Read more…

Active Directory & DNS Lab

This time we will configure basic AD and DNS functionality. The terms object, organizational unit, domain, tree, and forest are used to describe the way Active Directory organizes its directory data. Like all directories, Active Directory is essentially a database management system. The Active Directory database is where the individual Read more…

How to Set up & Use C2 PoshC2

PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes Read more…

How to Set up & Use C2 Sliver

Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) Read more…

How to Set up & Use C2 Empire

Empire 3 is a post-exploitation framework that includes a pure-PowerShell Windows agent, and compatibility with Python 3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and flexible architecture. Documentation GitHub: https://github.com/BC-SECURITY/Empire Client: https://github.com/BC-SECURITY/Starkiller Installation Server 1. Download Read more…

How to Set up & Use C2 Covenant

Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that Read more…

How to Set up & Use C2 Silent Trinity

SILENTTRINITY is a modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NET's DLR. It's the culmination of an extensive amount of research into using embedded third-party .NET scripting languages to dynamically call .NET APIs, a technique the author coined as BYOI (Bring Your Own Interpreter). The aim Read more…

Hardening SMB

Server Message Block (SMB) is a networking file share protocol included in Windows workstation and Windows server that provides the ability to read and write files and perform other service requests to network devices on a share. Windows supports file and printer sharing traffic by using the Server Message Block Read more…

SMTP Injection attack

Mail Command Injection is an attack technique used to exploit mail servers and webmail applications that construct IMAP/SMTP statements from user-supplied input that is not properly sanitized. SMTP injection is the variant that injects attacker-controlled SMTP commands into the data transmitted from an application (typically a web application) to an SMTP server Read more…

How to set up bWAPP – Linux

bWAPP, or a buggy web application, is a deliberately insecure web application. bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux and Windows. https://github.com/jehy-security/bwapp https://sourceforge.net/projects/bwapp/ Installation 1. Download the Read more…

Basics of Path Traversal

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker Read more…

How to set up Mutillidae – Linux

Mutillidae is a vulnerable framework where you can practice the OWASP Top 10, https://owasp.org/www-project-top-ten/ Download https://sourceforge.net/projects/mutillidae/ sudo git clone https://github.com/webpwnized/mutillidae.git 1. Install the required packages (in this case I'm using php 7.3) sudo apt-get install php7.3-curl php7.3-mbstring php7.3-xml Extra Show php version php --version 2. Extract the Mutillidae content in /var/www/html Read more…

Introduction – Hacking with BeEF

BeEF utilizes YAML files in order to configure the core functionality, as well as the extensions. Most of the core BeEF configurations are in the main configuration file: config.yaml, found in the BeEF directory. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses Read more…

Hiding public IP – Anonsurf

Anonsurf uses Tor and iptables to anonymize the whole system. Anonsurf gives users the capability of starting or stopping the I2P project. https://github.com/Und3rf10w/kali-anonsurf Installation 1. Download the file from github git clone https://github.com/Und3rf10w/kali-anonsurf.git 2. Run installer located in the download folder kali-anonsurf sudo bash installer.sh 3. Run the application after successful Read more…

Blind SQL injection

Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors. With blind SQL injection vulnerabilities, many techniques such as UNION attacks are not effective, because they rely Read more…

SMTP lab (hMailServer)

This has been written to explain the steps to set up a basic insecure SMTP lab. We are using hMailServer to act as a mail server & Thunderbird as mail client. https://www.hmailserver.com/ https://www.thunderbird.net/ Mail Server (hMailServer) 1. Start the wizard 2. Next, Accept the license 3. Select the install folder, next Read more…

Securing Apache

Apache is free, open-source web server software. How to use the services (System V) Start /etc/init.d/apache2 start Or sudo service apache2 start View Status service apache2 status Restart the service service apache2 restart Stop the service service apache2 stop service apache2 status Steps for RHEL 4.x/5.x/6.x or older Read more…

Nikto – How to

Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server. This tool is written in Perl. It is an open-source web server scanner that examines a website and reports back vulnerabilities. You can use it with any Read more…

Crunch – How to

Crunch is a utility that is used to create wordlists using letters, numbers, and symbols for every possible combination or according to specific rules. Syntax to create the wordlist (lowercase letters, then uppercase letters, then numbers and finally symbols) crunch <min-len> <max-len> [<charset string>] [options] https://sourceforge.net/projects/crunch-wordlist/ How to use 1. Read more…

Cewl – How to

Cewl is a wordlist generator written in Ruby; it spiders a given URL to a specified depth. It returns a list of words which can then be used for password crackers such as John the Ripper. https://github.com/digininja/CeWL It comes installed in most security-focused distributions. How to use 1. Display Read more…

SSH Port Forwarding

SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa. IT professionals use it for opening backdoors into the internal network from their home machines. If a port is blocked by a Firewall, you can use SSH Read more…

Magescan how to – Magento

Magescan is used to test the quality and security of a Magento site you don't have access to. It is a scanner for Magento https://github.com/steverobbins/magescan Installation 1. Download it from https://github.com/steverobbins/magescan/releases. (.phar file) 2. Show help -h, --help = Display this help message php magescan.phar --help 3. Display version of the app Read more…

Sqlmap how to

sqlmap is one of the most popular and powerful SQL injection automation tools out there. Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and do a lot of hacking like extracting database names, tables, columns, all the data in the tables etc. It can even read Read more…

Nessus How to

Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities. It uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools. It is a paid tool and requires licenses for extension of the features. However, there Read more…

dirsearch how to

dirsearch is a simple command line tool designed to brute force directories and files in websites. https://github.com/maurosoria/dirsearch Installation 1. Download the source code git clone https://github.com/maurosoria/dirsearch.git ls cd dirsearch/ ls 2. To execute the program ./dirsearch.py python3 dirsearch.py How to use 1. Display the help menu ./dirsearch.py --help Search -w Read more…

79/tcp finger – Enumeration

Finger is primarily used to enumerate user information on the target system. It can also find out detailed information (if it exists) such as full name, email address, phone number etc. of all its users. Nmap result finger-user-enum finger-user-enum is a script used to enumerate users https://github.com/pentestmonkey/finger-user-enum Username guessing tool primarily Read more…

Gobuster How to

Gobuster is a tool used to brute-force URLs (directories and files) in websites and DNS subdomains. Gobuster is available from the apt repositories, so it can be installed with the following command. https://github.com/OJ/gobuster Gobuster is a tool used to brute-force: URIs (directories and files) in web sites. DNS Read more…

Joomscan how to

OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments. It not only detects known offensive vulnerabilities, but also is able to detect many misconfigurations and admin-level shortcomings that can be exploited Read more…

Using Find Linux command

find searches the directory tree rooted at each given starting-point by evaluating the given expression from left to right. In this article we will explore the most useful commands. Useful commands 1. Basic search of a file named vk9-security.txt, starting at / position find / -name vk9-security.txt 2. The same Read more…

ssl-heartbleed – CVE-2014-0160

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka Read more…

laravel – schedule task – crontab

Laravel is a web application framework with expressive, elegant syntax. https://www.easylaravelbook.com/blog/introducing-the-laravel-5-command-scheduler/ https://laravel.com/docs/5.8/scheduling#scheduling-artisan-commands The Laravel command scheduler allows you to manage your task execution dates and times using easily understandable PHP syntax. You’ll manage the task execution definitions in app/Console/Kernel.php Scheduling Your Command As was perhaps made obvious by the earlier Read more…

Access control RFI & Reading file function exploitation + reverse shell with Mutillidae and BurpSuite

This time we will be exploring RFI and the read file explorer https://wiki.owasp.org/index.php/Testing_for_Remote_File_Inclusion RFI Remote file inclusion allows an attacker to include a remote file (from the web server's point of view), possibly allowing code execution, denial of service, and data disclosure. Since RFI occurs when paths passed to “include” statements are Read more…

Attacking & Securing Session Management

I am writing this based on OWASP and the book “The Web Application Hacker's Handbook”. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html Introduction The HTTP protocol is essentially stateless. It is based on a simple request-response model, in which each pair of messages represents an independent transaction. Applications use HTTP cookies as the transmission mechanism for Read more…

SDLC – programming securely

The Software Development Lifecycle (SDLC) is a systematic process for building software that ensures its quality and correctness. It is a framework that defines tasks performed at each step in the software development process. A formally defined method for software development in the form of the SDLC Read more…